[Opensource] How to crypto the passwords?
Michael Rimov
rimovm at centercomp.com
Tue Aug 6 16:46:41 PDT 2002
At 02:55 PM 8/6/2002 -0300, you wrote:
>I tested and it worked, but why not hash the passwords before saving
>them to the database? I really don't understand...

Actually a couple of reasons:

1 - We don't have full support for hashed fields yet at the DBObject level,
thus DBMaint doesn't understand hashed fields. :( I've taken a couple of
shots at hashed fields and PBE fields, but so far haven't come up with
anything truly viable without some major DBObject rework (yet).

2 - Backwards compatibility. When this was first introduced (I think I
wrote it for Expresso 3)... people literally had thousands of users in
their databases with plaintext passwords. Other than forcing admins to do
a batch process, there wasn't an easy way for people to be able to deal
with the conversion. This method allowed the admins to provide a slow, but
eventually effective automatic conversion process.

Now once we get built-in support for hashed and encrypted fields in
DBObject, of course, it will be automatic the first time through. But that
has still to be implemented.

Hope this clarifies things!
-Mike
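
The gradual conversion described in the message above, as an added Python sketch that is not Expresso code and not part of the original post. It assumes the conversion happens when a user logs in; the row layout, the `scheme` column, the choice of PBKDF2 and all function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_hashed(stored, password):
    """Check a password against a stored hash record; fail closed if malformed."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        iters, salt = int(iters), bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # never fall back to a plaintext comparison
    if algo != "pbkdf2_sha256" or iters < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(actual, expected)

def login(users, name, password):
    """Authenticate; a legacy plaintext row is hashed on its first good login."""
    row = users.get(name)
    if row is None:
        return False
    if row["scheme"] == "plain":
        ok = hmac.compare_digest(row["password"].encode(), password.encode())
        if ok:  # we hold the cleartext right now, so upgrade the row in place
            row["password"], row["scheme"] = hash_password(password), "pbkdf2_sha256"
        return ok
    return verify_hashed(row["password"], password)

def remaining_plaintext(users):
    """Accounts that have not logged in since the change are still exposed."""
    return sorted(n for n, r in users.items() if r["scheme"] == "plain")

if __name__ == "__main__":
    # Constructed sample rows standing in for a legacy user table.
    users = {"alice": {"scheme": "plain", "password": "correct horse"},
             "bob": {"scheme": "plain", "password": "hunter2"}}
    print(login(users, "alice", "correct horse"), remaining_plaintext(users))
```

Rows for accounts that never log in again stay in plaintext, so `remaining_plaintext` is the list a later batch conversion or forced reset would have to cover.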